* Resources for getting early warnings of vulnerabilities, threats and incidents

In this column, I review three important aspects of early warnings in CIRT management: notification of vulnerabilities, notification of threats and notification of incidents.

Vulnerabilities

A computer incident response team (CIRT) relies on operations managers to maintain adequate defenses by maintaining up-to-date system and application software. The subject of patch management is complex and will be discussed in another series, but I can remind readers that there are many resources on which to draw for notification of newfound vulnerabilities. Each network-equipment and system-software vendor generally provides a notification service; many organizations have one of their employees subscribe to these to keep up with the news.

A better approach, less susceptible to interruption, is to set up a special e-mail address for all the subscriptions and to assign one or more people to read that mail every day. If one of the team members is away on assignment or on vacation, be sure that a replacement person takes over the task of scanning the notices to spot anything that is relevant to your network configuration. Instead of forwarding the messages to an individual’s mailbox, all of them can be kept in a separate mailbox accessible to everyone on the team.

There are also many newsletters that summarize vulnerabilities; I particularly like “@RISK: The Consensus Security Alert” from the SANS Institute; you can subscribe at no cost using:

Finally, regular readers will recall that the Common Vulnerabilities and Exposures (CVE) dictionary ( http://cve.mitre.org/ ) is a superb compendium of standardized names for vulnerabilities and exposures. MITRE writes, “CVE aspires to describe and name all publicly known facts about computer systems that could allow somebody to violate a reasonable security policy for that system.”

MITRE also uses the term “exposure” and defines it as “security-related facts that may not be considered to be vulnerabilities by everyone.” You can download the CVE in various formats or you can use the ICAT Metabase ( http://icat.nist.gov/icat.cfm ) to search the CVE for various subsets of vulnerabilities (e.g., by product, version, type, and so on). At the time of this writing (late June) there were 6,663 vulnerabilities in the CVE. As a side note, of these, 1,383 involved buffer overflows (about one-fifth).

Threats

There’s a wide range of resources keeping track of security threats. By staying up to date about new threats, you can improve your defenses before you are attacked; e.g., if particular attacks are growing in frequency and there are configuration changes or other measures you can take to stave them off, early warning is a real help. Some of the more popular alert letters - and where you can subscribe - include:

Finally, it’s important to know when there’s an incident happening in your own system. Intrusion detection systems should be configured to alert CIRT or network management personnel at once when there are successful intrusions, disturbances of network performance, equipment malfunctions and other incidents. There are systems available to coordinate output from network and security systems for rapid notification; for example, the GFI LANguard Security Event Log Monitor (S.E.L.M.) is described as follows: